Red Hat Internal Developer Platform / RHIDP-6198

resolve ECP violations due to RPMs

    • Type: Task
    • Resolution: Done
    • Priority: Blocker
    • Affects Version: 1.5.0
    • Fix Version: 1.5.0
    • Components: Build, Operator, Release
    • Story Points: 2
    • Epic: RHIDP-4735 - RHDH 1.5 Release
    • Sprint: RHDH Core Platform 3270

      This violation occurs twice for the latest 1.5 and 1.6 operator builds (probably because we updated to a fresher base image):

      ✕ [Violation] rpm_repos.ids_known
        ImageRef: quay.io/rhdh/rhdh-rhel9-operator@sha256:70471b6297f2816ebb35f05c71a9d664d0b824abfdc029c624e4baaedd8aec4d
        Reason: RPM repo id check failed: An RPM component in the SBOM specified an unknown or disallowed repository_id:
        pkg:rpm/redhat/openssl@3.2.2-6.el9_5?arch=src&checksum=sha256:b58aa63f681560c0c4716ef22de299dcfd3219fd4de4b9f0d363648c59b92f37&epoch=1&repository_id=ubi-9-baseos-source-rpms
        Title: All rpms have known repo ids
        Description: Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must
        be present in the list of known and permitted repository ids. Currently this is rule enforced only for SBOM components created
        by cachi2. To exclude this rule add
        "rpm_repos.ids_known:pkg:rpm/redhat/openssl@3.2.2-6.el9_5?arch=src&checksum=sha256:b58aa63f681560c0c4716ef22de299dcfd3219fd4de4b9f0d363648c59b92f37&epoch=1&repository_id=ubi-9-baseos-source-rpms"
        to the `exclude` section of the policy configuration.
        Solution: Ensure every rpm comes from a known and permitted repository, and that the data in the SBOM correctly records that.
      
      ✕ [Violation] rpm_repos.ids_known
        ImageRef: quay.io/rhdh/rhdh-rhel9-operator@sha256:70471b6297f2816ebb35f05c71a9d664d0b824abfdc029c624e4baaedd8aec4d
        Reason: RPM repo id check failed: An RPM component in the SBOM specified an unknown or disallowed repository_id:
        pkg:rpm/redhat/openssl@3.2.2-6.el9_5?arch=x86_64&checksum=sha256:adea7d3b99a23d01925632de46597f90b9934f7f92b40c28f34ff5c501c6d8a6&epoch=1&repository_id=ubi-9-baseos-rpms
        Title: All rpms have known repo ids
        Description: Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must
        be present in the list of known and permitted repository ids. Currently this is rule enforced only for SBOM components created
        by cachi2. To exclude this rule add
        "rpm_repos.ids_known:pkg:rpm/redhat/openssl@3.2.2-6.el9_5?arch=x86_64&checksum=sha256:adea7d3b99a23d01925632de46597f90b9934f7f92b40c28f34ff5c501c6d8a6&epoch=1&repository_id=ubi-9-baseos-rpms"
        to the `exclude` section of the policy configuration.
        Solution: Ensure every rpm comes from a known and permitted repository, and that the data in the SBOM correctly records that.

      https://konflux.apps.stone-prod-p02.hjvn.p1.openshiftapps.com/application-pipeline/workspaces/rhdh/applications/rhdh-1/pipelineruns/rhdh-enterprise-contract-1-qgr2z/logs

      I assume the fix is to re-run rpm-lockfile-prototype -f Containerfile rpms.in.yaml to pull in updated pinned RPMs.

      Maybe this needs to be incorporated into the sync-midstream.sh script so we're always current?
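The rule quoted in the violation is simple enough to reproduce locally, which lets you check an SBOM before Konflux's Enterprise Contract run rather than after. The script below is an added illustration, not Conforma/Enterprise Contract or RHDH project code: it parses the purl of every RPM component in a CycloneDX-style SBOM, reads the repository_id qualifier, and flags any that is missing or not on an allowlist, then prints the exclude strings in the form the violation message suggests. The allowlist, the zlib component and the npm component in the sample SBOM are assumptions; the two openssl purls are the ones from the violation above. Note the caveat from the rule text: the real check only covers components that cachi2 recorded, and an exclude entry is a waiver of the finding, not a fix; the fix is to re-pin the RPMs from a permitted repository so the SBOM records a known id.

```python
"""Local reproduction of the rpm_repos.ids_known check.

Added illustration (not Conforma / Enterprise Contract code): parse the
purl of every RPM component in a CycloneDX-style SBOM, read its
repository_id qualifier, and flag any that is missing or not on the
allowlist. The allowlist and the non-openssl sample components are
assumptions made for this example.
"""
from urllib.parse import parse_qs


def parse_purl(purl):
    """Split a purl into (type, path, qualifiers dict)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):]
    path, _, query = body.partition("?")
    ptype = path.split("/", 1)[0]
    # parse_qs returns lists; purl qualifiers are single-valued, so take [0]
    qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    return ptype, path, qualifiers


def check_rpm_repo_ids(sbom, known_repo_ids):
    """Return [(purl, reason)] for RPM components that would violate the rule."""
    violations = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        ptype, _, quals = parse_purl(purl)
        if ptype != "rpm":
            continue  # the rule only applies to RPM components
        repo_id = quals.get("repository_id")
        if repo_id is None:
            violations.append((purl, "no repository_id qualifier"))
        elif repo_id not in known_repo_ids:
            violations.append((purl, f"unknown or disallowed repository_id: {repo_id}"))
    return violations


def exclude_entries(violations):
    """Policy `exclude` strings in the form the violation message suggests (a waiver, not a fix)."""
    return [f"rpm_repos.ids_known:{purl}" for purl, _ in violations]


# Assumed allowlist for illustration only; the real list lives in the
# policy data consumed by Enterprise Contract, not in this script.
KNOWN_REPO_IDS = {
    "rhel-9-for-x86_64-baseos-rpms",
    "rhel-9-for-x86_64-appstream-rpms",
}

# Constructed SBOM fragment: the two openssl purls are the ones from the
# violation; the zlib and npm entries are made up for the example.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5?arch=src&checksum=sha256:b58aa63f681560c0c4716ef22de299dcfd3219fd4de4b9f0d363648c59b92f37&epoch=1&repository_id=ubi-9-baseos-source-rpms"},
        {"purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5?arch=x86_64&checksum=sha256:adea7d3b99a23d01925632de46597f90b9934f7f92b40c28f34ff5c501c6d8a6&epoch=1&repository_id=ubi-9-baseos-rpms"},
        {"purl": "pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&epoch=0&repository_id=rhel-9-for-x86_64-baseos-rpms"},
        {"purl": "pkg:npm/%40backstage/core@1.0.0"},
    ],
}

if __name__ == "__main__":
    found = check_rpm_repo_ids(SAMPLE_SBOM, KNOWN_REPO_IDS)
    for purl, reason in found:
        print(f"VIOLATION {reason}\n  {purl}")
    print("\nexclude entries if you choose to waive rather than re-pin:")
    for entry in exclude_entries(found):
        print(f"  - {entry}")
```

Run it against the SBOM attached to the pipeline run (load the JSON into SAMPLE_SBOM's place) and against the repository ids your policy data actually permits; the two openssl entries above report as violations, the zlib one passes, and the npm one is ignored because the rule is scoped to RPMs.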

              Reporter / Assignee: nickboldt Nick Boldt
              RHIDP - Core Platform